The server doesn't receive those headers and so the request doesn't work. The header names end up in the Access-Control-Request-Headers header though, so it has the value content-type,accept,authorization. Now I've come across this page https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers which says that this is the preflight request. My server is not configured for CORS and I have added host permission to access my localhost in manifest.json:

application/json triggers a preflight request. Using a content type such as text/plain will just send your request without first sending the preflight. Of course the server might not understand that it is JSON.

Presumably the preflight is failing because the server won't accept it? Perhaps OPTIONS is not one of the allowed HTTP types?

Thank you @lithopsian. I think the Authorization header was the trigger for the preflight. It's still kind of strange that the browser treats all XHR requests from the addon as cross-origin with the same-origin concept maybe unrelated to the addon and also not mentioning that fact in the docs. I'll have to configure my server for CORS then. That shouldn't be an issue but what origins should I allow? The preflight sent from Firefox has the origin set to: 'moz-extension://e77d7dda-4ced-e948-8a43-20e899997f0c'. Is that something I can depend on being the same value for my addon even with updates?

I configured my server for CORS and now the preflight is going fine. The problem is that the browser is not following it with the actual POST I sent. Here's a screenshot from Firefox devtools: http://imgur.com/zvrQUSS

Only the OPTIONS preflight is sent on the left side. I also highlighted the response header on the right that effectively allows the moz-extension protocol. Is that a bug in Firefox?

Apparently the UUID part of the URL is randomly generated for each browser instance to avoid the possibility of fingerprinting. Of course that in itself allows for fingerprinting but possibly less harmful?

Not sure why the post doesn't follow. Have you tried it with hard-coded data? Is there nothing in the error console?
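Since the UUID in the moz-extension origin differs per browser instance, a server cannot pin one exact origin; the following is an added example (not code from anyone in this thread) of a server-side check that accepts only well-formed moz-extension origins and only the three headers the preflight asked for. The function name `corsHeaders`, the UUID pattern, and the allow-lists are assumptions of this example; because the pattern matches any extension's origin, the Authorization header still has to authenticate the caller.

```javascript
// Added example: compute CORS response headers for a request coming from a
// Firefox extension. Returns null when the request must not get CORS headers.
// Assumption: the origin has the form moz-extension://<uuid>, as in the thread.
const EXT_ORIGIN =
  /^moz-extension:\/\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
const ALLOWED_METHODS = ['POST'];                                   // assumption
const ALLOWED_HEADERS = ['content-type', 'accept', 'authorization']; // from the thread

// method: HTTP method of the incoming request.
// reqHeaders: request headers with lower-cased names (as Node's http module gives them).
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  // Never reflect an arbitrary Origin: require the exact scheme and UUID shape.
  if (!origin || !EXT_ORIGIN.test(origin)) return null;

  // Echo the specific origin (not "*") and tell caches the response varies by it.
  const base = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (method !== 'OPTIONS') return base; // actual request: origin header is enough

  // Preflight: check the method and every header the browser announced.
  const wantMethod = reqHeaders['access-control-request-method'];
  if (!ALLOWED_METHODS.includes(wantMethod)) return null;

  const wanted = (reqHeaders['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!wanted.every((h) => ALLOWED_HEADERS.includes(h))) return null;

  return {
    ...base,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
  };
}
```

The same function has to be applied to the POST response as well as the OPTIONS response, since the browser checks Access-Control-Allow-Origin on both.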